malwarewikiaorg-20200223-history
Sonic Gather Battle
Sonic Gather Battle is a Sonic fan game for Microsoft Windows made by Leemena Dan that contains a trojan. Not all of its effects are currently known, but it contains DRM that does malicious things to affected computers and makes the game itself unplayable. The game's creator apparently put the malicious code into the game to prevent people from ripping sprites from it; however, the sprites were ripped and posted to the internet anyway.

History

The game itself is a fighting game running on the Little Fighter 2 engine. It originally existed under the name SONICvsLF2 and had no malicious effects at that point. SONICvsLF2 in its original state was canceled after sprites were ripped from it, but it was later revived under the name Sonic Gather Battle. The game was discovered to have malicious effects in December 2017, though it may have had this behavior as far back as 2016 without being discovered.

Behavior

The game requires administrative permissions to run, which is unusual for a fan-made game. These permissions are apparently required to fix a crash at the game's loading screen, though many still find this suspicious given the game's other behaviors. If the computer is not connected to the internet, the game will not run (according to a YouTube commenter's own experience). When installed, the game secretly opens whatsmyip.org and sends the resulting IP address to a server the game is connected to, which the creator can use to remotely disable the game. It also checks your Google history. The game also creates a file called "b.dll", reads it, and immediately deletes it, though the game's creator claims this does not happen. It also edits the computer's registry and some small files, which the game's creator claims is "not completely done by the game" and is at least partially Windows automatically storing information.
The game also apparently makes an API call for raw hard disk access, which is currently believed to be used to detect whether tools such as hex editors or Cheat Engine are installed on the computer. The developer claims that the game does not scan installed files or registry keys, but this claim is no more credible than his other statements. When played without the DRM being activated, the game was fairly normal, except, of course, for the fact that it tracks browser data and has edited the computer's files.

The game's DRM can be activated by running Cheat Engine or having it installed, typing the game's name followed by "cheat", "hack", or "mod" into a search engine, editing its files, or possibly just by a bug. The detection works by checking the titles of open windows, and the game automatically closes any window whose title contains keywords such as "cheat" or "hack". The creator has apparently updated the game to close the game itself rather than the browser, though reading other windows' titles is still considered intrusive.

There are two effects the DRM can have on the game itself. The first turns the game's background blue and the tiles black, plays "Fakery Way... for Twinkle Park", and adds near-invincible red ghost enemies, effectively making the game unplayable. The second, which is triggered by trying to uninstall the game while the red ghost "protection" is already active, by opening Cheat Engine, and by other actions, changes the game's background palette to a mix of red and black, makes eyes appear on the screen, applies a red grit effect to the screen, disables the ability to pause, and changes the music to the Sonic CD boss theme (US version); the invincible ghost enemies still appear, but with a different appearance and in larger numbers. One person has claimed that if someone attempts to close the game after the DRM has activated, an image of Big the Cat with hyper-realistic bloodshot eyes appears (why Big the Cat?).
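The behaviors described above (an elevated game process looking up its public IP, a DLL that is created and deleted within seconds, raw disk access, and registry writes) are the kind of thing endpoint telemetry can correlate. The following is an added example written for this page, not code from the wiki or from the game: it runs a few correlation rules over constructed Sysmon-style events. The event IDs follow real Sysmon numbering (1 process create, 3 network connect, 9 raw disk read, 11 file create, 13 registry value set, 23 file delete); the process name "sgb.exe", the paths, the timestamps and the second (benign) process are all made up for the example.

```python
"""Correlate constructed Sysmon-style events into findings for the behaviors
described in the Behavior section. Added example; the events are constructed,
not real telemetry from the game."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. "sgb.exe", the paths and the timestamps are
# assumptions for the example, not values taken from the real game.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2017-12-01T10:00:00", "pid": 4120,
     "image": r"C:\Games\SGB\sgb.exe", "integrity": "High"},      # elevated start
    {"id": 3, "ts": "2017-12-01T10:00:02", "pid": 4120,
     "dest_host": "whatsmyip.org", "dest_port": 443},            # public-IP lookup
    {"id": 11, "ts": "2017-12-01T10:00:03", "pid": 4120,
     "path": r"C:\Games\SGB\b.dll"},                             # b.dll created ...
    {"id": 23, "ts": "2017-12-01T10:00:04", "pid": 4120,
     "path": r"C:\Games\SGB\b.dll"},                             # ... and deleted a second later
    {"id": 9, "ts": "2017-12-01T10:00:05", "pid": 4120,
     "device": r"\Device\HarddiskVolume1"},                      # raw disk access
    {"id": 13, "ts": "2017-12-01T10:00:06", "pid": 4120,
     "key": r"HKCU\Software\SGB\state"},                         # registry write
    # A benign process for contrast: medium integrity, one ordinary file write.
    {"id": 1, "ts": "2017-12-01T10:01:00", "pid": 5000,
     "image": r"C:\Windows\notepad.exe", "integrity": "Medium"},
    {"id": 11, "ts": "2017-12-01T10:01:01", "pid": 5000,
     "path": r"C:\Users\u\notes.txt"},
]

# Hosts whose only purpose is to tell a client its own public address.
IP_LOOKUP_HOSTS = {"whatsmyip.org"}
# A DLL that lives shorter than this is treated as a transient drop.
TRANSIENT_WINDOW = timedelta(seconds=10)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Group events by process and return a sorted list of (pid, rule) findings."""
    by_pid = defaultdict(list)
    for event in events:
        by_pid[event["pid"]].append(event)

    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=_ts)
        elevated = any(e["id"] == 1 and e.get("integrity") == "High" for e in evs)

        # Rule 1: an elevated process that asks an IP-lookup site for its address.
        if elevated and any(e["id"] == 3 and e.get("dest_host") in IP_LOOKUP_HOSTS
                            for e in evs):
            findings.append((pid, "elevated_process_ip_lookup"))

        # Rule 2: a DLL created and deleted by the same process within the window.
        created_at = {}
        for e in evs:
            if e["id"] == 11:
                created_at[e["path"].lower()] = _ts(e)
            elif e["id"] == 23:
                path = e["path"].lower()
                t0 = created_at.get(path)
                if (t0 is not None and path.endswith(".dll")
                        and _ts(e) - t0 <= TRANSIENT_WINDOW):
                    findings.append((pid, "transient_dll_drop"))

        # Rule 3: raw access to a disk device (Sysmon event 9) from any process.
        if any(e["id"] == 9 for e in evs):
            findings.append((pid, "raw_disk_access"))

        # Rule 4: registry value writes from an elevated process.
        if elevated and any(e["id"] == 13 for e in evs):
            findings.append((pid, "elevated_registry_write"))

    return sorted(findings)


def suspicious_pids(events, min_rules=2):
    """Processes that trip at least min_rules rules; one rule alone is weak evidence."""
    counts = defaultdict(int)
    for pid, _rule in detect(events):
        counts[pid] += 1
    return sorted(pid for pid, n in counts.items() if n >= min_rules)


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

Each rule on its own is weak (plenty of legitimate software writes to the registry), which is why `suspicious_pids` only reports a process that trips several rules; in the sample, only the constructed game process does, and the notepad process produces no findings at all.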
If the game is uninstalled and reinstalled at this point, these effects continue, because the game checks the server. The effects can apparently be deactivated by contacting the game's creator so that he whitelists the computer himself via the server the game is connected to. The creator will only whitelist the computer once you prove you are innocent and were not trying to hack the game. The game is no longer normally playable or installable: the developer no longer makes it available for download and has manually disabled the game for everyone who had it installed. Someone reuploaded the game, and it can be downloaded here: (DOES NOT RUN ON VIRTUAL MACHINES OR SANDBOXIE) [WARNING, USE THIS ON VIRTUAL MACHINE ONLY]

References

2. The old version from 2014 is the only one that does not contain the virus.

Category:Trojan Category:Games